MultiCom Technical Support Forum
Supporting MultiCom Routers, Firewalls and VPN
How do I use the IPSec client of Windows 2000/XP?

 
Forum: 3.x IPSec
Author: Support (Lausanne, Switzerland)
Posted: Fri Mar 10, 2006 12:21

Configuring the Windows 2000/XP IPSec client to connect to a secured network requires a detailed configuration. Fortunately there is open-source software at http://vpn.ebootis.de/ that makes it extremely simple to build the IPSec policy. Simply follow the instructions at the site, except use a preshared key instead of a PKI certificate (a PKI should also work, but it has not been tested yet).

  1. Install Windows 2000 Service Pack 2. It is mandatory to install this service pack, or at least a Windows 2000 high encryption package, to support the 3DES encryption which is needed by the MultiCom (no service pack is needed on Windows XP). This will also support NAT Traversal if needed.
  2. Install the IPSec support from the Windows CD-ROM:
    * For XP: the ipseccmd program. You have to install the Windows XP Support Tools. They reside on your Windows XP CD in the directory \SUPPORT\TOOLS. Just start setup.exe in this directory. You have to select a Complete installation to get ipseccmd.
    * For Win2k: ipsecpol.exe, tool version 1.22. This tool is included in the Windows 2000 Resource Kit. You can also find it here: http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
  3. Make a directory which will contain all of the files, for example C:\VPN.
  4. Copy the ipsecpol.exe tool (Windows 2000) or ipseccmd.exe tool (Windows XP) into this directory.
  5. Unpack the VPN tool "IPSEC.exe" (available from http://vpn.ebootis.de/) into this directory.
  6. Update "ipsec.conf" to reflect your configuration. You will find the syntax on the ebootis site, or use the sample below.
  7. Make an entry for your client on your MultiCom server (see screenshots).
  8. After you have established your Internet connection, start the "ipsec.exe" tool in the ipsec directory. The tool now looks up your IP configuration and sets up the IPSec tunnel based on your configuration. That's it!
  9. To delete the policies you may call "ipsec.exe -delete". In the same way, "ipsec.exe -off" disables the policy.
NAT-Traversal is supported by default in XP SP2 only. Windows 2000, XP and XP SP1 will need the NAT-Traversal patch from Microsoft's site http://support.microsoft.com/default.aspx?scid=kb;en-us;818043 . You need this functionality to be able to make a connection through a NAT firewall.

Below is the ipsec.conf file that I used in both cases on the XP machine. You will need to change it to match the parameters of your own network.
Code:
conn MultiCom
      left=%any
      right=ipsecgateway.example.com
      rightsubnet=11.0.0.0/8
      presharedkey=firewall
      network=auto
      auto=start
      pfs=no

Below is an example of a connection being made:
Code:
C:\vpn>ipsec
IPSec Version 2.2.0 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Setting up IPSec ...
 
        Deactivating old policy...
        Removing old policy...
 
Connection MultiCom:
        MyTunnel     : 10.0.0.5
        MyNet        : 10.0.0.5/255.255.255.255
        PartnerTunnel: ipsecgateway.example.com
        PartnerNet   : 11.0.0.0/255.0.0.0
        CA (ID)      : Preshared Key ******************
        PFS          : n
        Auto         : start
        Auth.Mode    : MD5
        Rekeying     : 3600S/50000K
        Activating policy...
 
C:\vpn>ping 11.0.0.1
 
Pinging 11.0.0.1 with 32 bytes of data:
 
Negotiating IP Security.
Request timed out.
Request timed out.
Request timed out.

NOTE: the pings might not get through because the XP SP2 firewall may be blocking them. You can still access the other subnet using other services such as HTTP (or, of course, deactivate the XP SP2 firewall).

If you have syslog activated on the MultiCom you will see the IPSec connection being built (or if there was an error in the configuration). Below is an example of this connection being made.
Code:
pluto[583]: packet from 81.62.74.136:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[583]: packet from 81.62.74.136:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[583]: packet from 81.62.74.136:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[583]: packet from 81.62.74.136:500: ignoring Vendor ID payload [26244d38eddb61b3...]
pluto[583]: "Roadwarriors"[3] 81.62.74.136 #56: responding to Main Mode from unknown peer 81.62.74.136
pluto[583]: "Roadwarriors"[3] 81.62.74.136 #56: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[583]: "Roadwarriors"[3] 81.62.74.136 #56: Main mode peer ID is ID_FQDN: '@aran'
pluto[583]: "Roadwarriors"[4] 81.62.74.136 #56: deleting connection "Roadwarriors" instance with peer 81.62.74.136
pluto[583]: | NAT-T: new mapping 81.62.74.136:500/4500)
pluto[583]: "Roadwarriors"[4] 81.62.74.136:4500 #56: sent MR3, ISAKMP SA established
pluto[583]: "Roadwarriors"[4] 81.62.74.136:4500 #57: responding to Quick Mode
pluto[583]: "Roadwarriors"[4] 81.62.74.136:4500 #57: IPsec SA established

Additional information can be found here:
Microsoft's Basic IPSec Troubleshooting page: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q257225 and
http://www.natecarlson.com/linux/ipsec-x509.php .

Screenshots of the MultiCom Configuration are available below.
  • IPSec Global Panel Create the new connection, enter the IP parameters of the local side of the network with Remote Address 0.0.0.0/0 and Remote Gateway 0.0.0.0, and activate Allow Subnet. This allows any IP address to try to connect, and as many connections as the purchased IPSec license allows. Be sure that both IPSec and the connection are enabled.
  • IPSec Keys Panel Add the preshared key, in this example "firewall", without any local/remote IDs.
  • IPSec IKE Panel Choose the Preshared Key and, for simplicity, deactivate Perfect Forward Secrecy (PFS) and Dead Peer Detection (DPD).
  • IPSec Options Panel Enable NAT-Traversal.
  • NAT Interface Panel If the Securewall is active then be sure to redirect UDP 500, UDP 4500 & ESP traffic to internal. Otherwise this traffic will not be allowed to the Firewall.
  • Monitor IPSec Details Panel After a connection is made the Monitor can show the status.
  • Monitor IPSec Summary Panel If more than one IPSec connection is active all of them can be shown in the Summary Panel.
  • Monitor Routes Panel For each successfully connected IPSec client there will be a new routing entry in the routing table to tell the Firewall to send that traffic to the IPSec service for encryption and delivery.
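The ipsec.conf above is the whole client-side policy, so it is worth being able to read one back mechanically. The script below is an added example, not code from the ebootis tool or from MultiCom: it parses the conn/key=value format shown in the post, reproduces the "Connection" summary that ipsec.exe prints (MyNet/PartnerNet in address/netmask form, PFS as y/n), and flags the two settings a reviewer would question in the sample, the dictionary-word preshared key and pfs=no. The sample configuration is constructed: the first conn is the post's own, the second is an invented hardened variant for comparison; the handling of leftsubnet and of '#' comments is an assumption about the file format.

```python
"""Added example (not the ebootis tool's or MultiCom's code): parse an ipsec.conf
in the conn/key=value format shown above, reproduce the 'Connection' summary
that ipsec.exe prints, and flag the settings a reviewer would question."""
import ipaddress
import re

# Constructed sample: the post's "conn MultiCom" followed by an invented
# hardened variant (random-looking PSK, pfs=yes) for comparison.
SAMPLE_CONF = """\
# road-warrior profile from the post
conn MultiCom
      left=%any
      right=ipsecgateway.example.com
      rightsubnet=11.0.0.0/8
      presharedkey=firewall
      network=auto
      auto=start
      pfs=no

conn MultiComHardened
      left=%any
      right=ipsecgateway.example.com
      rightsubnet=11.0.0.0/8
      presharedkey=Lq9!v2XcT7mZp4RwB1nE8sK3
      network=auto
      auto=start
      pfs=yes
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}. Assumes '#' starts a comment, so a PSK
    containing '#' would need different handling."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a conn section or not key=value: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return conns


def cidr_to_tool_notation(cidr):
    """'11.0.0.0/8' -> '11.0.0.0/255.0.0.0', the address/netmask form the tool prints."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address}/{net.netmask}"


def summarize(conn, local_ip):
    """Mimic the Connection block ipsec.exe prints. left=%any means 'whatever
    address this host currently has', which the tool resolves at run time and
    this function takes as local_ip. leftsubnet is assumed optional (host-only
    policy when absent)."""
    my_tunnel = local_ip if conn.get("left", "%any") == "%any" else conn["left"]
    return {
        "MyTunnel": my_tunnel,
        "MyNet": cidr_to_tool_notation(conn.get("leftsubnet", f"{my_tunnel}/32")),
        "PartnerTunnel": conn["right"],
        "PartnerNet": cidr_to_tool_notation(conn["rightsubnet"]),
        "PFS": "y" if conn.get("pfs", "no").lower() == "yes" else "n",
        "Auto": conn.get("auto", "start"),
    }


def lint(conn):
    """Hardening caveats for a preshared-key road-warrior policy."""
    findings = []
    psk = conn.get("presharedkey", "")
    if not psk:
        findings.append("presharedkey missing: nothing authenticates the peer")
    elif len(psk) < 16 or psk.isalpha():
        findings.append("presharedkey is a short or dictionary word; with PSK authentication "
                        "it is the only thing authenticating gateway and client to each other")
    if conn.get("pfs", "no").lower() != "yes":
        findings.append("pfs=no: IPsec SA keys are derived from the IKE SA keying material "
                        "alone, so a compromised IKE SA exposes the tunnel keys too")
    return findings


if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(SAMPLE_CONF).items():
        print(f"Connection {name}:")
        for k, v in summarize(conn, "10.0.0.5").items():
            print(f"        {k:<13}: {v}")
        for f in lint(conn):
            print(f"        WARNING: {f}")
```

Run it with a local address of 10.0.0.5 and the MultiCom summary comes out exactly as in the post's console transcript (MyNet 10.0.0.5/255.255.255.255, PartnerNet 11.0.0.0/255.0.0.0, PFS n), followed by two warnings; the hardened conn produces none.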
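The syslog excerpt above shows the handshake the way pluto reports it: Main Mode answered, NAT-T detected, the peer ID learned, the exchange floated to UDP 4500, the ISAKMP SA and then the IPsec SA established. The script below is an added example, not code from MultiCom or the ebootis tool; it correlates those lines into one state record per peer, keyed on the peer address because the connection instance number ([3] then [4]) changes mid-handshake. The sample log is constructed: the first nine lines are the post's own, the last two are an invented second client (192.0.2.77) with an invented PSK-mismatch message modelled on pluto's wording, so the failure path is exercised as well.

```python
"""Added example (not MultiCom's or the ebootis tool's code): fold pluto syslog
lines into a per-peer view of the IKE road-warrior handshake."""
import re
from collections import OrderedDict

# Lines that carry SA state look like:
#   pluto[583]: "Roadwarriors"[4] 81.62.74.136:4500 #57: IPsec SA established
LINE_RE = re.compile(
    r'pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"\[\d+\] )?'        # connection name + instance, if present
    r'(?P<peer>\d{1,3}(?:\.\d{1,3}){3})'
    r'(?::(?P<port>\d+))? '
    r'#(?P<sa>\d+): (?P<msg>.*)$'
)

# Constructed sample: the post's lines for 81.62.74.136, then an invented
# second client whose preshared key the gateway cannot match.
SAMPLE_LOG = """\
pluto[583]: packet from 81.62.74.136:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[583]: "Roadwarriors"[3] 81.62.74.136 #56: responding to Main Mode from unknown peer 81.62.74.136
pluto[583]: "Roadwarriors"[3] 81.62.74.136 #56: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[583]: "Roadwarriors"[3] 81.62.74.136 #56: Main mode peer ID is ID_FQDN: '@aran'
pluto[583]: "Roadwarriors"[4] 81.62.74.136 #56: deleting connection "Roadwarriors" instance with peer 81.62.74.136
pluto[583]: | NAT-T: new mapping 81.62.74.136:500/4500)
pluto[583]: "Roadwarriors"[4] 81.62.74.136:4500 #56: sent MR3, ISAKMP SA established
pluto[583]: "Roadwarriors"[4] 81.62.74.136:4500 #57: responding to Quick Mode
pluto[583]: "Roadwarriors"[4] 81.62.74.136:4500 #57: IPsec SA established
pluto[583]: "Roadwarriors"[5] 192.0.2.77 #58: responding to Main Mode from unknown peer 192.0.2.77
pluto[583]: "Roadwarriors"[5] 192.0.2.77 #58: Can't authenticate: no preshared key found for `@gw' and `@laptop'
"""


def new_peer(ip):
    return {"peer": ip, "conn": None, "nat_t": False, "port": 500, "peer_id": None,
            "isakmp_sa": None, "ipsec_sa": None, "error": None, "status": "incomplete"}


def correlate(log_text):
    """Return {peer_ip: state}. Vendor-ID and '|' debug lines carry no SA state
    and are skipped; everything else advances the per-peer state machine."""
    peers = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        st = peers.setdefault(m["peer"], new_peer(m["peer"]))
        st["conn"] = m["conn"] or st["conn"]
        if m["port"]:
            st["port"] = int(m["port"])      # becomes 4500 once NAT-T floats the exchange
        sa, msg = int(m["sa"]), m["msg"]
        if msg.startswith("responding to Main Mode"):
            st["isakmp_sa"] = sa             # phase 1 state number
        elif "peer is NATed" in msg:
            st["nat_t"] = True
        elif msg.startswith("Main mode peer ID is"):
            st["peer_id"] = msg.split(": ", 1)[1].strip("'")
        elif msg.endswith("ISAKMP SA established"):
            st["status"] = "phase1"
        elif msg.startswith("responding to Quick Mode"):
            st["ipsec_sa"] = sa              # phase 2 state number
        elif msg.endswith("IPsec SA established"):
            st["status"] = "established"
        elif msg.startswith("Can't authenticate") or "no suitable connection" in msg:
            st["error"], st["status"] = msg, "failed"
    return peers


def report(peers):
    """One line per peer, the view a Monitor IPSec Summary panel would give."""
    return [f"{p['peer']:<15} {p['status']:<11} nat_t={p['nat_t']} port={p['port']} "
            f"id={p['peer_id']} isakmp=#{p['isakmp_sa']} ipsec=#{p['ipsec_sa']}"
            + (f" error={p['error']}" if p["error"] else "")
            for p in peers.values()]


if __name__ == "__main__":
    print("\n".join(report(correlate(SAMPLE_LOG))))
```

A peer left in "phase1" or "incomplete" after the client has given up is the case the post describes as an error in the configuration: phase 1 completed but no Quick Mode proposal was accepted, or Main Mode never finished at all.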